21 CFR Part 11 - Requirements and New Scope

Feb 15, 2004

In 1997, FDA issued 21 CFR Part 11, which provides criteria for FDA acceptance of electronic records, electronic signatures, and handwritten signatures.1 In response to requests from industry, the regulation allows electronic records to be treated as equivalent to paper records and handwritten signatures. By providing faster and more productive access to documentation and accelerating the approval process, electronic records are expected to be more cost effective for industry and FDA.

The rule applies to FDA-regulated industry segments that must follow Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and current Good Manufacturing Practice (cGMP) requirements.

Analytical development and quality control laboratories that regularly use computers for instrument control, data acquisition, data evaluation, data management, data transfer, and archiving must comply. Part 11 applies whenever computer systems are used for regulated activities, whether they are used as part of an automated analysis system, as part of a network, or as stand-alone machines (for example, for spreadsheet applications or word processing).

The primary requirements of Part 11 include:
  • use of validated computerized systems
  • secure retention of electronic records allowing instant reconstruction of analyses
  • user-independent, computer-generated, time-stamped audit trails
  • system and data security, data integrity, and confidentiality through system access control
  • use of secure electronic signatures
  • use of digital signatures for open systems.

This article describes the rule's interpretation and enforcement as of January 2004, but discussions are ongoing. Updates are important and can be found at FDA's website (www.fda.gov) and at www.labcompliance.com.

Table 1: Records Subject to Part 11
System Validation All computer systems used to generate, maintain, and archive electronic records must be validated to ensure accuracy, reliability, consistent independent performance, and the ability to discern invalid or altered records.

System validation is nothing new for laboratories using computers in a regulated environment. Validating computer systems has been described thoroughly, and most companies have developed strategies for implementation. System validation applies to both new and existing systems, and problems can arise with older systems. These require a formal evaluation and statement of their validation status. If an older system cannot be validated, it should not be used under 21 CFR Part 11. Information on validating software and computer systems is available from several sources.2,3

Electronic Record Retention Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Records must be protected to enable their accurate and ready retrieval throughout the records retention period.

FDA expects that final results be kept together with the original data and the procedures for processing the data (metadata). The agency wants to be able to trace final results back to the raw data using the same tools the user had when the data were generated. This is probably one of the most difficult requirements of Part 11, as some records must be kept for ten or more years, and computer hardware and software have a much shorter lifespan.

A second problem lies in deciding exactly which records should be logged and retained. These decisions can be complex, as in quantitative chromatographic analyses. Typically in chromatography data acquisition, preprogrammed methods perform evaluation and printout automatically. Occasionally the preprogrammed integration method proves inappropriate, and analysts must work with the raw data and adjust parameters to generate more appropriate measurements of peak integrations. This is a manual iterative process that is frequently subjective, varying from user to user. Should only the final results with the final acceptable parameters and chromatogram printouts be archived or should all intermediate data be archived as well?

A third problem is maintaining the availability of records throughout the retention period. The challenge lies not with the durability of storage devices (such as CD-ROMs) but with the longevity of computer hardware, operating systems, and application software required to reconstruct the analysis. One approach is to migrate existing data as new systems are adopted.4

Limited Access Procedures should be in place to limit the access to authorized users. Limited access must be ensured through physical and logical security mechanisms. Most companies already have similar procedures in place. Typically, users log onto a system with a user ID and password. However, problems have been reported in analytical laboratories when computer controlled systems collect data over time and users are unable to monitor the system the entire time. To prevent unauthorized access, a screen saver with password protection should be activated.

Further details on system security are discussed in a later article.

lorem ipsum